Solved: Re: Issue port-forwarding on Cisco ASA

UZaman3 · ‎09-18-2024

Hello!

We have a Cisco ASA running version 9.18.4.22 that we are trying to do port forwarding on. Right now an endpoint hits the outside interface ip and should forward the traffic to one of our servers that sits on the inside interface. I had set this up originally on our previous ASA (5516) but upgraded last week to an FP-1150 and it has not worked since. Here are the configs for this specific traffic. Everything else on the network works as intended.

object network SFTP-Server
host 10.10.10.100

object-group network CMS-Network_SFTP
network-object host 1.1.1.1
network-object host 1.1.1.2

access-list inside-in extended permit tcp any gt 1023 object SFTP-Server eq 11022

object network SFTP-Server
nat (inside,outside) static interface service tcp 11022 11022

I see the traffic coming in on the outside interface when I do a capture but it doesn't look like it's getting to the server:

302: 14:30:39.897094 1.1.1.1.57258 > outside-int-ip.11022: S 38873240:38873240(0) win 29040 <mss 1380,sackOK,timestamp 91101318 0,nop,wscale 3>
303: 14:30:40.886794 1.1.1.1.57258 > outside-int-ip.11022: S 38873240:38873240(0) win 29040 <mss 1380,sackOK,timestamp 91101418 0,nop,wscale 3>
304: 14:30:42.886840 1.1.1.1.57258 > outside-int-ip.11022: S 38873240:38873240(0) win 29040 <mss 1380,sackOK,timestamp 91101618 0,nop,wscale 3>
305: 14:30:46.896788 1.1.1.1.57258 > outside-int-ip.11022: S 38873240:38873240(0) win 29040 <mss 1380,sackOK,timestamp 91102019 0,nop,wscale 3>

Any help would be greatly appreciated.

UZaman3 · ‎09-20-2024

Hello everyone,

I was able to figure out a way to get it to work. We used to have web servers that sat behind this firewall that we did port-forwarding too on https and had no issue. We tore those down about a year ago but kept the SFTP server. The port forwarding configuration worked just fine until last week when we upgraded them to a Firepower 1150 running in ASA mode. Here is the configuration that worked for the port forwarding - hope it saves folks trouble. Also, thanks everyone for the help! Definitely helped me get to the solution that works.

object network SFTP-Server
host 10.10.10.100
object service SFTP-NAT
service tcp source eq 11022

access-list outside-in extended permit tcp any object SFTP-Server eq 11022

nat (inside,outside) source static SFTP-Server interface service SFTP-NAT SFTP-NAT

Next week I am going to harden that ACL a bit more to change the source from any to a specific object group that identifies the few sources that try to reach the SFTP server. Thanks again for the help!

View solution in original post

MHM Cisco World · ‎09-18-2024

I dont understand the NAT and ACL you apply can you more elaborate

MHM

ceaquib · ‎09-18-2024

NAT (Network Address Translation) and ACL (Access Control List) in simpler terms, how they work, and why they’re important in networking.

NAT (Network Address Translation)
What it is:
NAT is a technique used to translate private IP addresses within a local network to a public IP address when traffic goes out to the internet. It’s mainly used because private IP addresses (like those in the range of 192.168.x.x) cannot be routed on the internet.

How it works:
Let’s say you have a local network with devices having private IPs, but only one public IP to connect to the internet. NAT will translate each device’s private IP to the public IP when it leaves the local network. This is how:

Source NAT (SNAT): This is when your local device (with a private IP) wants to communicate with a server on the internet. NAT changes the source IP from private to public.

Destination NAT (DNAT): This is used when external devices on the internet want to communicate with a device inside the local network. NAT changes the destination IP from public to private.

Example:

Your PC with IP 192.168.1.10 sends a request to 8.8.8.8 (Google DNS).
The NAT router changes the source IP from 192.168.1.10 to the public IP 203.0.113.1.
The reply from 8.8.8.8 is sent back to the public IP, and NAT then translates it back to 192.168.1.10 internally.
ACL (Access Control List)
What it is:
An ACL is essentially a set of rules that you apply to your router or firewall to permit or deny traffic based on specific criteria like source IP, destination IP, protocol, or port.

How it works:
Think of it as a list of traffic rules applied to an interface (like inbound or outbound rules on a firewall). Each packet is checked against the rules in the ACL to determine whether it should be allowed through or blocked.

Standard ACLs: These filter traffic based only on the source IP address.

Extended ACLs: These can filter traffic based on multiple parameters, like:

Source IP
Destination IP
Protocol (TCP, UDP, ICMP, etc.)
Port number (HTTP: 80, HTTPS: 443, etc.)
Example:

An extended ACL rule might say: “Deny traffic from 192.168.1.0/24 to any destination using port 23 (Telnet).”
Another rule might say: “Allow traffic from any IP to 192.168.10.10 using port 443 (HTTPS).”
How NAT and ACL Work Together:
NAT helps hide internal IPs when communicating with the external world by translating them to a public IP.

ACL controls what traffic is allowed into or out of your network, so you can specify which IPs or services are accessible and which ones are blocked.

Scenario Example:
You have a local network with multiple devices that need to access the internet.
NAT will translate their private IP addresses to a single public IP when they access external websites.
You also have an ACL in place that restricts traffic from certain IP addresses or only allows specific types of traffic (e.g., only allowing HTTP or HTTPS but blocking FTP).
In short, NAT helps manage IP address translation, and ACL is your security mechanism to control which traffic is permitted or blocked.

Does this make it clearer?

MHM Cisco World · ‎09-19-2024

Friend

Below two object network

object network SFTP-Server <<- this I assume real IP of server
host 10.10.10.100

object-group network CMS-Network_SFTP <<- this mapped public IP of server which you don't use in NAT below
network-object host 1.1.1.1
network-object host 1.1.1.2

object network SFTP-Server <<- this auto NAT which I think first issue must be solve here'instead of this use manual NAT
nat (inside,outside) static interface service tcp 11022 11022

Nat(inside'outside) static object SFTP-Server interface service tcp 11022 11022

Then check.

MHM

balaji.bandi · ‎09-18-2024

As i understand and give some clarification

you want use external interface IP to SFP to inside server 10.10.10.100 ?

then below config should work :

object network SFTP-Server
nat (inside,outside) static interface service tcp 11022 11022

But you have ACL anything outside ? then you need to allow that traffic also.

example :

access-list outside-in extended permit tcp any any eq 11022

access-group outside-in in interface outside

As you mentioned the logs you see coming to firewall not reaching Server ?

does server know how to reach to router and run Wireshark at SFTP Server and see is the packets reaching there ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

UZaman3 · ‎09-18-2024

So I do have ACLs on the outside interface as well but it is still not allowing the traffic. I am not seeing any translations for that nat statement either when we generate traffic. The server knows how to reach the router, it can get out to the internet and everything. When I run a packet-tracer, this is the result I get:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Elapsed time: 13824 ns
Config:
object network SFTP-Server
nat (inside,outside) static interface service tcp 11022 11022
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f3b8d316320, priority=6, domain=nat-reverse, deny=false
hits=2, user_data=0x7f3b4c009c30, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.10.10.100, mask=255.255.255.255, port=11022, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside, output_ifc=inside

UZaman3 · ‎09-20-2024

Hello everyone,

I was able to figure out a way to get it to work. We used to have web servers that sat behind this firewall that we did port-forwarding too on https and had no issue. We tore those down about a year ago but kept the SFTP server. The port forwarding configuration worked just fine until last week when we upgraded them to a Firepower 1150 running in ASA mode. Here is the configuration that worked for the port forwarding - hope it saves folks trouble. Also, thanks everyone for the help! Definitely helped me get to the solution that works.

object network SFTP-Server
host 10.10.10.100
object service SFTP-NAT
service tcp source eq 11022

access-list outside-in extended permit tcp any object SFTP-Server eq 11022

nat (inside,outside) source static SFTP-Server interface service SFTP-NAT SFTP-NAT

Next week I am going to harden that ACL a bit more to change the source from any to a specific object group that identifies the few sources that try to reach the SFTP server. Thanks again for the help!